HN won't let me respond to your last comment, but I think that's a reasonable plan. Using LDAP directly over the internet in general sounds like a bit of a risky proposition. Perhaps do both that and SAML; then you make everyone happy. Again, good luck, I hope I was able to help you firm up your ideas.
Medium-sized orgs that want LDAP (and might not have the necessary Linux / Unix skills) just use Active Directory. Also, if you don't wrap it in Kerberos, it might be difficult to gain adoption. I say this as someone who considers themselves an LDAP SME, having set up multimaster OpenLDAP with 68 slaves globally using delta syncrepl.
Good luck!
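To make the setup the comment above describes concrete, here is an added slapd.conf sketch (editor's example, not posted by anyone in the thread) of an OpenLDAP delta-syncrepl provider and one read-only consumer, with the replication bind done over LDAPS using SASL/GSSAPI (Kerberos) rather than a password, and the provider refusing unprotected connections. Hostnames, the EXAMPLE.COM realm, the dc=example,dc=com suffix, the cn=replicator DN and the file paths are placeholders; the example also assumes each consumer's slapd can obtain a Kerberos ticket for its own host principal.

```conf
# Added example, not from the thread. OpenLDAP slapd.conf fragments for a
# delta-syncrepl provider and one read-only consumer. Hostnames, realm,
# suffix, DNs and paths are placeholders.

########## provider (ldap1.example.com) ##########

# Map the consumers' Kerberos host principals onto one DN that the ACLs
# below grant read access to. Assumes consumers authenticate as
# host/<fqdn>@EXAMPLE.COM; the realm component is optional in the SASL DN.
authz-regexp
  "uid=host/([^,]+)(,cn=[^,]+)?,cn=gssapi,cn=auth"
  "cn=replicator,ou=services,dc=example,dc=com"

sasl-realm     EXAMPLE.COM
# No anonymous or plaintext SASL mechanisms, and a minimum protection level.
sasl-secprops  noanonymous,noplain,minssf=56
# Refuse any operation that is not protected by TLS or a GSSAPI layer;
# localSSF keeps the ldapi:// socket usable for local administration.
security       ssf=128
localSSF       128

# Main database
database       mdb
suffix         "dc=example,dc=com"
rootdn         "cn=manager,dc=example,dc=com"
directory      /var/lib/ldap/data
index          entryCSN  eq
index          entryUUID eq

access to *
  by dn.exact="cn=replicator,ou=services,dc=example,dc=com" read
  by * break

overlay        syncprov
syncprov-checkpoint 1000 60
syncprov-sessionlog 10000

# Record successful writes into cn=accesslog; consumers replay only these
# (delta-syncrepl) instead of re-fetching whole entries.
overlay        accesslog
logdb          cn=accesslog
logops         writes
logsuccess     TRUE
logpurge       07+00:00 01+00:00     # keep 7 days of changes, purge daily

# Change-log database that consumers replay
database       mdb
suffix         cn=accesslog
rootdn         cn=accesslog
directory      /var/lib/ldap/accesslog
index          default eq
index          entryCSN,objectClass,reqEnd,reqResult,reqStart

access to *
  by dn.exact="cn=replicator,ou=services,dc=example,dc=com" read
  by * none

overlay        syncprov
syncprov-nopresent  TRUE
syncprov-reloadhint TRUE

########## consumer (ldap2.example.com, read-only) ##########

database       mdb
suffix         "dc=example,dc=com"
rootdn         "cn=manager,dc=example,dc=com"
directory      /var/lib/ldap/data
index          entryCSN  eq
index          entryUUID eq

syncrepl rid=001
  provider=ldaps://ldap1.example.com:636
  bindmethod=sasl
  saslmech=GSSAPI
  tls_cacert=/etc/ssl/certs/example-ca.pem
  tls_reqcert=demand            # abort the sync if the provider cert does not verify
  searchbase="dc=example,dc=com"
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  schemachecking=on
  type=refreshAndPersist
  retry="60 +"
  syncdata=accesslog

# Writes arriving here are referred back to the provider, not accepted locally.
updateref      ldaps://ldap1.example.com:636
```

Two things worth checking on a real deployment: the consumer never holds a replication password (a compromised replica yields only its own host keytab, which the provider's ACL limits to read), and `tls_reqcert=demand` plus `security ssf=128` together mean a replica will not sync over an unverified or cleartext connection rather than silently falling back. The multimaster arrangement the commenter mentions adds, on each provider, a global `serverID` and `multiprovider on` (`mirrormode on` on OpenLDAP 2.4) in the main database, plus a `syncrepl` stanza pointing at each of the other providers.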